Need Professional Security Testing?
Our penetration testers find vulnerabilities before attackers do. Get a comprehensive security assessment.
What Is Public Key Cryptography
Public key cryptography (also called asymmetric cryptography) is a cryptographic system that uses mathematically linked key pairs: a public key that can be freely shared and a private key that must be kept secret. Unlike symmetric encryption where both parties share a single secret key, public key cryptography solves the key distribution problem — two parties can communicate securely without ever having exchanged a secret in advance.
Public key cryptography is the foundation of digital signatures, TLS/HTTPS, SSH, PGP email encryption, cryptocurrency, and certificate-based authentication. Invented independently by Diffie-Hellman (1976) and Rivest-Shamir-Adleman (RSA, 1977), it remains one of the most important innovations in the history of computer science.
How Public Key Cryptography Works
A key pair is generated using a mathematical trapdoor function — an operation that is easy to compute in one direction but computationally infeasible to reverse:
Core Operations
| Operation | Uses | How It Works |
|---|---|---|
| Encryption | Public key | Anyone can encrypt a message using the recipient's public key. Only the matching private key can decrypt it. |
| Decryption | Private key | Only the private key holder can decrypt messages encrypted with their public key. |
| Signing | Private key | The sender signs a message using their private key, creating a digital signature. |
| Verification | Public key | Anyone can verify the signature using the signer's public key, confirming authenticity and integrity. |
Common Algorithms
| Algorithm | Based On | Key Sizes | Status |
|---|---|---|---|
| RSA | Integer factorization | 2048-4096 bit | Widely used; 2048-bit minimum recommended |
| ECDSA | Elliptic curve discrete logarithm | 256-384 bit | Preferred for performance; same security with smaller keys |
| Ed25519 | Twisted Edwards curve | 256-bit | Modern; fast, constant-time, resistant to side channels |
| X25519 | Montgomery curve | 256-bit | Key exchange (Diffie-Hellman); used in TLS 1.3 and WireGuard |
| Kyber | Lattice-based | Various | Post-quantum candidate; NIST standardized as ML-KEM |
Common Use Cases
- Understanding TLS/HTTPS: Learn how web browsers and servers use public key cryptography to establish encrypted connections
- SSH key management: Understand why SSH key pairs work and how Ed25519 differs from RSA for server authentication
- Digital signature concepts: Explore how code signing, document signing, and certificate chains rely on asymmetric operations
- Post-quantum awareness: Understand why current public key algorithms are vulnerable to quantum computers and what replacement algorithms are being standardized
- Certificate authority trust: Learn how the chain of trust from root CAs to leaf certificates uses public key signing
Best Practices
- Use Ed25519 for new deployments — Unless compatibility requires RSA or ECDSA, Ed25519 provides the best combination of security, performance, and implementation safety.
- Minimum RSA key size: 2048 bits — NIST and major browsers require at least 2048-bit RSA keys. Plan migration to 3072-bit or 4096-bit for longevity beyond 2030.
- Protect private keys with hardware — Store private keys in Hardware Security Modules (HSMs), TPMs, or secure enclaves. Never store unprotected private keys on disk.
- Prepare for post-quantum cryptography — NIST finalized ML-KEM (Kyber) and ML-DSA (Dilithium) as post-quantum standards. Begin evaluating hybrid deployments that combine classical and post-quantum algorithms.
- Rotate keys on a schedule — Even without compromise, rotate keys periodically. TLS certificates expire (typically 90-398 days), and SSH keys should be rotated at least annually.
ℹ️ Disclaimer
This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.